OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Special Report

Fiscal Year 2007
Federal Information Security Management Act Report

Status of EPA's Computer Security Program

Report No. 2007-S-00003

September 25, 2007

Report Contributors:
    Rudolph M. Brevard
    Vincent Campbell
    Sejal Shah
    Sabrena Stewart

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

September 25, 2007

MEMORANDUM

SUBJECT:  Fiscal Year 2007 Federal Information Security Management Act Report:
          Status of EPA's Computer Security Program
          Report No. 2007-S-00003

FROM:     Patricia H. Hill
          Assistant Inspector General for Mission Systems

TO:       Stephen L. Johnson
          Administrator

Attached is the Office of Inspector General's Fiscal Year 2007 Federal Information Security Management Act Reporting Template, as prescribed by the Office of Management and Budget (OMB). In addition, Appendix A synopsizes the results of our significant Fiscal Year 2007 information security audits.

In accordance with OMB reporting instructions, I am forwarding this report to you for submission, along with the Agency's required information, to the Director, Office of Management and Budget.

Section C - Inspector General: Questions 1 and 2
Agency Name: Environmental Protection Agency          Submission date: 21-Sep-07

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient.
Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key for the table below:
  Question 1
    1a  Agency Systems: Number (Num) / Number Reviewed (Rev)
    1b  Contractor Systems: Number / Number Reviewed
    1c  Total Number of Systems, Agency and Contractor: Total Number / Total Number Reviewed
  Question 2 (each column is Total Number / Percent of Total)
    2a  Number of systems certified and accredited (C&A)
    2b  Number of systems for which security controls (SC) have been tested and reviewed in the past year
    2c  Number of systems for which contingency plans (CP) have been tested in accordance with policy
  Percent cells are left blank where the template reported no percentage for that row.

                                     Question 1                           Question 2             
                         1a Agency  1b Contract.  1c Total     2a C&A   2b SC tested2c CP tested
Bureau / Impact Level      Num   Rev   Num   Rev   Num   Rev   Num   Pct   Num   Pct   Num   Pct
Office of Administrator
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   2     0     0     0     2     0     0           0           0
  Low                        1     0     0     0     1     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  3     0     0     0     3     0     0           0           0
Office of Air and Radiation
  High                       1     1     0     0     1     1     1  100%     0    0%     0
  Moderate                  11     1     1     0    12     1     0    0%     1  100%     0
  Low                        6     0     1     0     7     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                 18     2     2     0    20     2     1   50%     1   50%     0
Office of Administration and Resource Management
  High                       0     0     0     0     0     0     0           0           0
  Moderate                  11     2     2     0    13     2     1   50%     1   50%     0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                 11     2     2     0    13     2     1   50%     1   50%     0
Office of Chief Financial Officer
  High                       0     0     0     0     0     0     0           0           0
  Moderate                  16     4     0     0    16     4     3   75%     1   25%     0
  Low                        2     0     0     0     2     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                 18     4     0     0    18     4     3   75%     1   25%     0
Office of Environmental Information
  High                       0     0     0     0     0     0     0           0           0
  Moderate                  16     0     6     1    22     1     1  100%     0    0%     0
  Low                       16     0     3     0    19     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                 32     0     9     1    41     1     1  100%     0           0
Office of General Counsel
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     0     0     1     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     0     0     0     1     0     0           0           0
Office of International Activities
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   0     0     0     0     0     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  0     0     0     0     0     0     0           0           0
Office of Inspector General
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   7     1     0     0     7     1     1  100%     0           0
  Low                        1     0     0     0     1     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  8     1     0     0     8     1     1  100%     0           0
Office of Prevention, Pesticides and Toxic Substances
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   6     1     1     0     7     1     0    0%     1  100%     0
  Low                        1     0     0     0     1     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  7     1     1     0     8     1     0           1  100%     0
Office of Research and Development
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   7     2     0     0     7     2     1   50%     1   50%     0
  Low                        8     0     0     0     8     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                 15     2     0     0    15     2     1   50%     1   50%     0
Office of Solid Waste and Emergency Response
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   4     1     1     0     5     1     0           1  100%     0
  Low                        4     0     1     0     5     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  8     1     2     0    10     1     0           1  100%     0
Office of Enforcement and Compliance Assurance
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   8     1     0     0     8     1     0           1  100%     0
  Low                        3     0     0     0     3     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                 11     1     0     0    11     1     0           1  100%     0
Office of Water
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   8     1     0     0     8     1     0           1  100%     0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  8     1     0     0     8     1     0           1  100%     0
Region 1
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     0     0     1     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     0     0     0     1     0     0           0           0
Region 2
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   2     0     0     0     2     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  2     0     0     0     2     0     0           0           0
Region 3
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     1     0     0     1     1     1  100%     0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     1     0     0     1     1     1  100%     0           0
Region 4
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     0     0     1     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     0     0     0     1     0     0           0           0
Region 5
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   2     0     0     0     2     0     0           0           0
  Low                        1     0     0     0     1     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  3     0     0     0     3     0     0           0           0
Region 6
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     0     0     1     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     0     0     0     1     0     0           0           0
Region 7
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     0     0     1     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     0     0     0     1     0     0           0           0
Region 8
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     0     0     1     0     0           0           0
  Low                        1     0     0     0     1     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  2     0     0     0     2     0     0           0           0
Region 9
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     1     0     2     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     0     1     0     2     0     0           0           0
Region 10
  High                       0     0     0     0     0     0     0           0           0
  Moderate                   1     0     0     0     1     0     0           0           0
  Low                        0     0     0     0     0     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Sub-total                  1     0     0     0     1     0     0           0           0
Agency Totals
  High                       1     1     0     0     1     1     1  100%     0    0%     0
  Moderate                 109    15    12     1   121    16     8   50%     8   50%     0
  Low                       44     0     5     0    49     0     0           0           0
  Not Categorized            0     0     0     0     0     0     0           0           0
  Total                    154    16    17     1   171    17     9   53%     8   47%     0

Comments: OIG reviewed 17 EPA systems (16 Agency systems and 1 Contractor system) for compliance with Federal Certification and Accreditation (C&A) or security controls testing requirements.

For each system selected for review, the OIG evaluated the system for compliance with either the Federal C&A requirements or the security control testing requirements, not both. As such, the percentage columns for questions 2a and 2b show what share of the systems reviewed in that row was evaluated against each requirement (agency-wide, 9 of the 17 reviewed systems, or 53%, under C&A and 8 of 17, or 47%, under security control testing); the two percentages therefore sum to 100% for each reviewed row. The percentage does not represent the rate at which the reviewed systems complied with the evaluated Federal security requirement.
The OIG did not test EPA systems for compliance with Federal contingency plan requirements.

Section C - Inspector General: Question 3
Agency Name: Environmental Protection Agency
Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

     Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

     Response Categories:
      - Rarely- for example, approximately 0-50% of the time
      - Sometimes- for example, approximately 51-70% of the time
      - Frequently- for example, approximately 71-80% of the time
      - Mostly- for example, approximately 81-95% of the time
      - Almost Always- for example, approximately 96-100% of the time

     Response: Almost Always (96-100% of the time)

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

     Response Categories:
      - The inventory is approximately 0-50% complete
      - The inventory is approximately 51-70% complete
      - The inventory is approximately 71-80% complete
      - The inventory is approximately 81-95% complete
      - The inventory is approximately 96-100% complete

     Response: Inventory is 96-100% complete

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.
     Response: Yes

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.
     Response: Yes

3.e. The agency inventory is maintained and updated at least annually. Yes or No.
     Response: Yes

3.f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please identify the known missing systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.

     Component/Bureau | System Name | Exhibit 53 Unique Project Identifier (UPI) | Agency or Contractor system?
     (no entries)

     Number of known systems missing from inventory: (none reported)

Section C - Inspector General: Questions 4 and 5
Agency Name: Environmental Protection Agency
Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. 
Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response Categories:
 - Rarely- for example, approximately 0-50% of the time
 - Sometimes- for example, approximately 51-70% of the time
 - Frequently- for example, approximately 71-80% of the time
 - Mostly- for example, approximately 81-95% of the time
 - Almost Always- for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
     Response: Almost Always (96-100% of the time)

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
     Response: Almost Always (96-100% of the time)

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
     Response: Almost Always (96-100% of the time)

4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
     Response: Almost Always (96-100% of the time)

4.e. IG findings are incorporated into the POA&M process.
     Response: Almost Always (96-100% of the time)

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
     Response: Almost Always (96-100% of the time)

POA&M process comments: (none)

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems" (February 2004) to determine a system impact level, as well as the associated NIST documents used as guidance for completing risk assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:

     Response Categories:
      - Excellent
      - Good
      - Satisfactory
      - Poor
      - Failing

     Response: Satisfactory

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):
      [X] Security plan
      [X] System impact level
      [ ] System test and evaluation
      [X] Security control testing
      [ ] Incident handling
      [ ] Security awareness training
      [ ] Configurations/patching
      [ ] Other:

     Comment: The OIG evaluated nine EPA systems for compliance with selected Federal C&A requirements. Our review disclosed that all evaluated systems were compliant with the selected requirements. See question 5.b for the evaluated C&A factors. Based on our limited review, we rated the Agency's C&A process as Satisfactory.

Section C - Inspector General: Questions 6 and 7
Agency Name: Environmental Protection Agency
Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6.a. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D II.4 (SAOP reporting template), including adherence to existing policy, guidance, and standards.

     Response Categories:
      - Excellent
      - Good
      - Satisfactory
      - Poor
      - Failing

     Response: Satisfactory

     Comments: The EPA has implemented a Privacy Impact Assessment (PIA) process. The procedures are available on the Agency's Intranet. The OIG's evaluation was based on whether applicable PIA guidance existed, was current, and was available to EPA personnel. The OIG did not test EPA's implementation of the PIA guidance.

6.b. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-06-15, "Safeguarding Personally Identifiable Information" since the most recent self-review, including the agency's policies and processes, and the administrative, technical, and physical means used to control and protect personally identifiable information (PII).

     Response Categories:
      - Excellent
      - Good
      - Satisfactory
      - Poor
      - Failing

     Response: Satisfactory

     Comments: The Agency has developed an interim policy to address safeguarding personally identifiable information. Additionally, employees were made aware of the importance of safeguarding PII through the Agency's on-line FY2007 Information Security Awareness Training. However, the OIG has identified some areas where EPA could improve its practices for approving the download of and access to PII. The OIG plans to issue a separate memorandum to the Chief Information Officer in October 2007 documenting our findings.

Question 7: Configuration Management

7.a. Is there an agency-wide security configuration policy? Yes or No.
     Response: Yes
     Comments: (none)

7.b. Approximate the extent to which applicable information systems apply common security configurations established by NIST.

     Response categories:
      - Rarely- for example, approximately 0-50% of the time
      - Sometimes- for example, approximately 51-70% of the time
      - Frequently- for example, approximately 71-80% of the time
      - Mostly- for example, approximately 81-95% of the time
      - Almost Always- for example, approximately 96-100% of the time

     Response: (none given)

     Comments: The OIG did not test EPA systems for compliance with NIST common security configurations. The OIG hired a contractor to evaluate EPA’s standard configuration documents (SCD) against NIST requirements, if available, or industry best practices. The contractor noted that for all EPA SCDs selected for review, the SCD’s content was consistent with a published authoritative document for securing the applicable operating system platform. However, the contractor identified that EPA should take steps to update six of the reviewed SCDs. Based on interviews with EPA officials, the contractor learned that EPA is currently updating five of the SCDs in question. The contractor will provide EPA with the final analysis for each reviewed SCD in a separate document.

Section C - Inspector General: Questions 8, 9, 10 and 11
Agency Name: Environmental Protection Agency
Question 8: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. 
If appropriate or necessary, include comments in the area provided below.

8.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
     Response: Yes

8.b. The agency follows documented policies and procedures for external reporting to US-CERT. Yes or No. (http://www.us-cert.gov)
     Response: Yes

8.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.
     Response: Yes

Comments: (none)

Question 9: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?

Response Categories:
 - Rarely- or approximately 0-50% of employees
 - Sometimes- or approximately 51-70% of employees
 - Frequently- or approximately 71-80% of employees
 - Mostly- or approximately 81-95% of employees
 - Almost Always- or approximately 96-100% of employees

Response: Almost Always (96-100% of employees)

Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? Yes or No.
Response: Yes

Question 11: E-Authentication Risk Assessments

The agency has completed system e-authentication risk assessments. Yes or No.
Response: No

Comments: EPA has not completed e-authentication risk assessments for four applications.

Appendix A

Summary of Significant Fiscal Year 2007 Security Control Audits

During Fiscal Year 2007, the U.S. Environmental Protection Agency’s (EPA’s) Office of Inspector General (OIG) initiated numerous audits of EPA’s information technology security program and information systems. The following synopsizes key findings.

1. EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents, Report No. 2007-P-00007, January 11, 2007

EPA had not established procedures to ensure identification of all contractor systems. EPA has not ensured that information security requirements were accessible by the contractors and appropriately maintained. As a result, EPA system inventories may not include all appropriate contractor systems, and its contractors may not be implementing adequate security safeguards.

Although EPA offices were aware of the Agency’s computer security incident response policy, many offices lacked local reporting procedures, had not fully implemented automated monitoring tools, and did not provide sufficient training on local procedures. EPA offices also did not have access to network attack trend information necessary to implement proactive defensive measures.

In response to our final report, Office of Environmental Information officials indicated that they had completed actions on four of the report recommendations. The Office of Environmental Information is continuing to work on updating the Agency’s Information Security Manual, which will provide Agency officials procedures for determining when contractor information systems are subject to Federal information security requirements. EPA has also updated its Computer Security Incident Response Capability procedures to better define the local incident handling procedures. EPA indicated that it is also providing regular training to the information security community on prioritizing security incidents and escalating notifications.

2. EPA Could Improve Controls Over Mainframe System Software, Report No. 2007-P-00008, January 29, 2007

The contractor that performed this review for the OIG identified several weaknesses in EPA’s internal controls over its mainframe system software, including:

   • Roles and responsibilities were not clearly assigned.
   • Change controls were not performed in accordance with Agency policies.
   • Policies, procedures, and guides could be strengthened.
   • Security settings for sensitive datasets and programs were not effectively configured or implemented.

As a result of these weaknesses, EPA is exposed to greater risk since its mainframe system software could potentially be compromised.

3. EPA Needs to Strengthen Financial Database Security Oversight and Monitor Compliance, Report No. 2007-P-00017, March 29, 2007

We discovered weaknesses in how EPA offices (1) monitor databases for known security vulnerabilities, (2) communicate the status of critical system patches, and (3) monitor the use of and access to database administrator accounts and privileges. These weaknesses existed because EPA had not implemented security processes to (1) actively monitor systems that share data with the Integrated Financial Management System, (2) share and collect information on the implementation of critical system patches, and (3) effectively manage access controls. Without these processes, the integrity of critical data in key Office of the Chief Financial Officer systems could be undermined. As a result, the Office of the Chief Financial Officer cannot ensure that the integrity of the data it provides to senior Agency officials is adequately protected. We also identified specific technical weaknesses in three of the financial databases that share data with the Integrated Financial Management System.

4. EPA Needs to Strengthen Its Privacy Program Management Controls, Report No. 2007-P-00035, September 17, 2007

EPA needs to set up a more comprehensive management control structure to govern and oversee the program. In particular, EPA needs to establish goals and activities for the Privacy Program and measure progress. Further, EPA needs to update its Privacy Program policies and establish processes to manage and make these policies available to responsible EPA personnel. Also, EPA needs to set up compliance and accountability processes to ensure adherence with key Privacy Program tenets. These weaknesses existed because of the low priority EPA managers placed on the Privacy Program. A major loss of privacy information could result in substantial harm, embarrassment, and inconvenience to individuals. It could lead to identity theft or other fraudulent use of the information, which in addition to harming the individuals involved could be costly to the Agency and its reputation.

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Agency Followup Official
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Director, Office of Technology Operations and Planning
Senior Agency Information Security Officer
Acting Inspector General